Paypal Users Receive Cryptocurrency Warning Email

This week Paypal users reported receiving an official-looking email from Paypal, warning users about “activity [involving] the trading or transfer of crypto currency [sic] which is prohibited under our Acceptable Use Policy,” asking the receiver to “cease any activity that results in the trading or transfer of crypto currency.”

“I am a PayPal user,” David Veksler of the Foundation for Economic Education and The Atlanta Bitcoin Embassy explained to News.Bitcoin.com. “My account is 17 years old. This morning I got the email linked in my message.” On Friday, March 16, Mr. Veksler, and presumably a sizeable chunk of Paypal’s nearly 200 million users, received an official-looking email seemingly from the company, complete with letterhead, titled Cryptocurrency Warning.

The popular online payments system, now two decades old, counts Peter Thiel and Elon Musk among its founders. The company’s revenue routinely runs into the billions, and it operates in over 200 markets and in 25 currencies around the world. Paypal is often seen as a direct competitor to cryptocurrencies, whose proponents wish to remove its centralized business model from everyday transactions. The company has made conflicting statements about crypto in general and bitcoin in particular, but there’s no denying it can see the future: just this month it was discovered that the company had applied for crypto-related patents.

After an expression of appreciation for their business, the receiver of Cryptocurrency Warning was scolded: “While reviewing your account, we noticed that your activity involves the trading or transfer of crypto currency which is prohibited under our Acceptable Use Policy. As this is not permitted on the Paypal platform we ask that you cease any activity that results in the trading or transfer of crypto currency. If you continue to engage in this activity on Paypal, we’ll be unable to continue offering our services.”

“It appears to be legit,” Mr. Veksler worried. “I checked the from address and the Sender ID. Then I called Paypal support and got a [customer service representative] on the line. She said that from the email address, it does not appear to be legitimate. She then checked my account and said that it is fine – there are no flags of any kind on it. I then posted on the Paypal community site and Reddit, and a bunch of people replied saying that they got the same email.”

No Formal Statement as of This Writing

For its part, the company has issued no formal statement, preferring, it seems, to take the complaints one at a time rather than whip up a frenzy. The potential problem with this approach is that not everyone understands information technology semantics or where to go to ultimately ask for clarification. Mr. Veksler has a Master’s degree in the science, and even he was a little put off. It’s not unreasonable to believe company users would feel as though buying and selling crypto were somehow wrong.

“I don’t know,” Mr. Veksler continued. “All I can tell you is that customer support said it’s fake but the email looks legit, including the digital signatures. I’ve never bought or sold crypto with my account.” A reading of the company’s policy turns up no mention of prohibiting cryptocurrency trading of any kind. On the company’s community page, the issue appears to have been labeled solved, with users confirming through representatives that the email is indeed a fake.

At issue now is how the emails were spoofed. Perps were able to secure an official company website email string and users’ names. “There is no domain verification process for sender address in the SMTP protocol,” Mr. Veksler pointed out. “There is a separate, optional Sender ID framework which some providers use. This email is also signed with that protocol. I cannot explain that.”
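Because SMTP itself does not verify the sender address, a recipient has to rely on the authentication results recorded by the receiving mail server. The sketch below is an added example, not code from the article or from Paypal: it reads the Authentication-Results header and reports whether a passing SPF or DKIM result actually belongs to the domain shown in From. The message, the `*.example` hostnames and the function names are constructed for illustration, and domain alignment is simplified to a parent/child match.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: passes SPF and DKIM, but for a different domain than From.
SAMPLE = """\
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=bounces@bulk-sender.example;
 dkim=pass header.d=bulk-sender.example;
 dmarc=fail header.from=brand.example
Authentication-Results: mx.forged.example; dkim=pass header.d=brand.example
From: "Brand Service" <service@brand.example>
Subject: Cryptocurrency Warning

(body omitted)
"""

def _aligned(a, b):
    # Simplified; real DMARC compares organizational domains (Public Suffix List).
    a, b = a.lower(), b.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def assess(raw, trusted_authserv):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    report = {"from_domain": from_domain, "spf_aligned": False,
              "dkim_aligned": False, "dmarc": None}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        # Only our own server's stamp counts; senders can forge this header.
        if authserv.strip().lower() != trusted_authserv.lower():
            continue
        for clause in rest.split(";"):
            m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause)
            if not m:
                continue
            method, result = m.groups()
            props = dict(re.findall(r"([\w.]+)=(\S+)", clause))
            if method == "dmarc":
                report["dmarc"] = result
            elif result == "pass":
                key = "smtp.mailfrom" if method == "spf" else "header.d"
                domain = props.get(key, "").rpartition("@")[2]
                if domain and _aligned(domain, from_domain):
                    report[method + "_aligned"] = True
    report["trust_from"] = report["spf_aligned"] or report["dkim_aligned"]
    return report

if __name__ == "__main__":
    print(assess(SAMPLE, "mx.recipient.example"))
```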

A forum commenter insisted, “It’s pretty easy. Anybody can download a number of hacked BTC-related databases. (bitcointalk database, btc-e database, etc.). Then the scammer takes the list of BTC-related emails and cross references it with another database that includes full names. Now the scammer has a list of BTC users’ full names and e-mail addresses. (Also in many cases username, password hash, DOB, meatspace address, ssn, all sorts of other private data depending on what database they’re using.) Anybody with a semester of computer science class should be able to write a script that does this. Then just send out some spam emails.” For a deeper dive on the hacking details, Nadeem Walayat has some interesting theories about the affair.